Access-based enumeration (ABE) displays only the files and folders that a user has permission to access. The feature was previously available as a downloadable package for Windows Server 2003 (but included from SP1). Access-based enumeration is now included in Windows Server 2008, and you can enable it by using Share and Storage Management for the share where you want to enable it. For example, if you enable access-based enumeration on a shared folder that contains many users' home directories, users who access the shared folder can see only their personal home directories; other users' folders are hidden from view. This can also be used on shares such as common areas, application areas and so on.
When planning your file server structure you should always keep in mind how you want to present the shares to the end user. If you are deploying your file server(s) in a domain, I recommend that you take advantage of DFS with a domain-based namespace. The user will then be presented with a domain name, which does not tie the user directly to any particular server.
First you need to set your share and NTFS security settings right to get ABE to work:
On the folder that you are sharing, you need to clear the “Include inheritable permissions from the object’s parent” check box (and then click “Add”).
You need to activate ABE in both Share and Storage Management (and on your DFS namespace if you are running DFS):
Share and Storage Management:
Enable ABE in DFS Management on your namespace:
So when my user browses the share where all home folders are listed, it shows only the one the user has access to: its own.
If a user with full access browses the same folder – it will show all 5230 folders:
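The NTFS side of the steps above can be checked from PowerShell. The script below is an added example, not from the original post: it reports whether the shared folder still inherits permissions from its parent and lists every home folder that a broad group can still read, because ABE cannot hide a folder from users who have Read on it. The path `D:\Shares\Home` and the function name `Get-AbeLeak` are assumptions.

```powershell
# Added example (not from the original post). Run on the file server.
param(
    [string]$HomeRoot = 'D:\Shares\Home'   # assumption: local path behind the share
)

# Broad principals: if one of these can read a home folder, every user can,
# and ABE will list that folder for everyone.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
# ReadData (same bit as ListDirectory) is part of Read and ReadAndExecute.
$readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-AbeLeak {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this folder.
        if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }
        if (-not ([int]$ace.FileSystemRights -band $readBit)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account no longer resolves; skip it
        # RID 513 is the Domain Users group of any domain.
        if (($broadSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-513$')) {
            New-Object PSObject -Property @{
                Folder    = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# True once "Include inheritable permissions..." has been cleared on the root.
$rootProtected = (Get-Acl -Path $HomeRoot).AreAccessRulesProtected
"Inheritance blocked on ${HomeRoot}: $rootProtected"

# One row per home folder that stays visible to everyone despite ABE.
Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-AbeLeak -Path $_.FullName } |
    Select-Object Folder, Principal, Rights, Inherited
```

No rows in the output means no broad group has Read on any home folder; a row with `Inherited` set to `True` points back at the ACL of the shared folder itself.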